Privacy law is toothless without greater transparency

Author

Disclosure statement

Graham Greenleaf does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond the academic appointment above.

What does privacy mean in an age of ongoing privacy breaches? With new privacy law coming online in Australia on March 12, our Privacy in Practice series explores the practical challenges facing Australian business and consumers in a world rethinking privacy.

After more than a quarter of a century, Australia’s federal Privacy Act remains opaque.

We are used to reading complex legislation through the lens of court decisions that tell us what it really means. But only two slight cases illuminate the Privacy Act after 25 years: one confirming that the Act really did mean that “any other person” could seek an injunction, and one saying the Commissioner’s approach to assessment of damages was wrong.

So the Commissioner issues his lore (guidelines etc), and law firms and academics peddle their own, but no-one knows enough reliable law - transparency gap #1. Why this odd situation has arisen needs explanation.

The Privacy Commissioner is about to get more powers to enforce the Act – civil penalties (fines) for serious or repeated breaches, enforceable undertakings, and powers to enforce Commissioner-initiated investigations – all of which are needed. But expanded powers will be of limited value unless they are used and their use is transparent, visible to individuals who want to use the Act to protect their rights, companies and agencies who must respond to complaints, and (most important) the lawyers and NGOs, advisers and intermediaries.

Unless all interested parties know the real tariff for breaching the Act (not just the formal possibilities), and all of the enforcement toolkit of the Act actually gets used, then there are no effective feedback loops to discourage breaches, encourage complaints, and encourage compliance. If this is to be achieved after the April empowerment, the Commissioner will have to lift his game on the transparency front.

Until now, the Commissioner’s one significant power has been to make “determinations” (formal decisions) under section 52, including compensation payments where appropriate. When made, these formal decisions are accompanied by a reasonably lengthy explanation of how the Commissioner applied the law, and the respondent is named. The problem is that the Commissioner completes over 1500 complaints per year (2012/13 figures) but doesn’t make any formal decisions: one in 2012/13, none since then.

Since the private sector came under the Act in 2001, Commissioners have only made seven such decisions, a bit more than half a formal decision per year - transparency gap #2. Most complaints are resolved through a mediated settlement or by being discontinued on one of the many grounds available.

Decisions in the dark

In the absence of court decisions, or formal Commissioner’s decisions, summaries of important or illustrative complaints are the best information available on how the Act is interpreted and applied.

From 2001-2011 Commissioners published on average 20 complaint summaries per year, but in January 2012 they suddenly stopped, and the Commissioner has published only one since - transparency gap #3. Five reports of investigations initiated by the Commissioner have been published in that time.

Next month, for the first time, dissatisfied complainants and respondents will obtain a right of appeal on the merits of their complaint. They can appeal to the Administrative Appeals Tribunal, against the Commissioner’s formal decisions under section 52. If appeals occur, AAT and court decisions will at last shine some light into corners of the Act.

The problem, based on the track record of all Commissioners for over a decade, is that only 0.5 persons per year will be able to consider appealing, because there are no decisions to appeal against. But surely a party will now demand that the Commissioner makes a decision in their complaint, if they don’t like the way it is going, so they can then haul him into court and have reason prevail? Unfortunately not, because successive Commissioners have insisted they won’t make decisions just because complainants insist they do, and will dismiss complaints if they think “the respondent has dealt adequately with the complaint”, though the complainant disagrees. Transparency gap #4 awaits.

Shining a light on compensation

In fact, by laboriously combining figures from different tables in Annual Reports, and making some assumptions about averages, it is possible to conservatively estimate that A$131,000 was paid in compensation to 45 complainants in 2012/13, an average of $2,911.

Depending on the year, about 3-5% of complaints result in compensation payments. These figures are unspectacular, but valuable to anyone wanting to understand how privacy law actually works. It is commendable that they are provided (most Privacy Commissioners don’t do so), but they need to be consolidated and more visible. Compensation is the second most frequent remedy arising from complaints, after apologies.

It is therefore a matter of hope, not expectation, that the Privacy Commissioner will use his new powers, that he will do so transparently, and that he will open the door to privacy law appeals.